1. Field of the Invention
The present invention relates to a data communication system which transmits encrypted contents and header information for decrypting the encrypted contents from a content distribution system to a plurality of user systems.
2. Description of the Related Art
Conventionally, in broadcast-type content distribution business, broadcast program content is encrypted, and the encrypted content is distributed to users. For example, a user decrypts encrypted content by using an authorized decryption unit leased by a distributor, and views/listens to the broadcast program through the obtained content. In broadcast-type content distribution business, however, there are unauthorized users who produce pirate decryption units (unauthorized decryption units) by copying internal information (decryption key or the like) of an authorized decryption unit, and can illegally decrypt encrypted content.
Various types of unauthorized user specifying methods are known, which can specify such an unauthorized user. Such unauthorized user specifying methods are classified into three types according to decryption key generation methods for users. The first type is a method based on a combinatorial arrangement. The second type is a method based on a tree structure. The third type is a method based on an algebraic arrangement.
The first unauthorized user specifying method has a problem that a very large transmission overhead is required to sufficiently decrease the probability at which an authorized user who is not concerned in the generation of an unauthorized decryption unit is erroneously detected as an unauthorized user.
The second and third unauthorized user specifying methods solve this problem and achieve efficient transmission overhead.
An unauthorized decryption unit may store a plurality of decryption keys or data having functions equivalent to decryption keys in a conspiracy involving a plurality of unauthorized users. Black box tracking is sometimes performed for this unauthorized decryption unit to specify an unauthorized user by observing only the input/output of the unit without breaking it open. More specifically, a tracker who performs black box tracking assumes a candidate for an unauthorized user (to be referred to as a suspect hereinafter) and checks whether the decryption key of the suspect is held by an unauthorized decryption unit, by only observing the input/output of the unauthorized decryption unit.
In the second and third unauthorized user specifying methods, one of the following two problems is left unsolved:
Problem 1: In black box tracking, the intention of each input (assumed suspect) is known by an unauthorized decryption unit. If a smart unauthorized decryption unit reads the intention of an input and prevents the unauthorized user from being specified, black box tracking fails. This failure leads to a problem that an unauthorized user cannot be specified, or an innocent user is falsely accused.
Problem 2: Although an unauthorized decryption unit cannot read the intention of an input, the probability of correctly specifying an unauthorized user trades off with a transmission overhead. If, therefore, the transmission overhead is made efficient, the probability of correctly specifying an unauthorized user greatly decreases. The number of processing steps required for black box tracking is exponential, and hence such black box tracking is impracticable because a set of nCk=n!/{k!(n−k)!} suspects must be checked, where n is the total number of users and k is the maximum number of conspirators in a coalition.
As described above, the conventional unauthorized user specifying methods fail in black box tracking with respect to smart unauthorized decryption units. In consideration of this problem, reference 1 (T. Matsushita and H. Imai, “Hierarchical Key Assignment for Efficient Public-key Black-Box Tracing against Self-Defensive Pirates”, IEICE Information Security Research, ISEC 2006-52, pp. 91-98, July 2006) discloses an unauthorized user specifying method which can reliably execute black box tracking even with respect to a smart unauthorized decryption unit without allowing it to know the intention of an input.
The unauthorized user specifying method disclosed in reference 1 has achieved a more efficient transmission overhead. However, this method is not aimed at a smarter unauthorized decryption unit which can store past inputs. Using a smarter decryption unit which can store past inputs may make it possible to guess the intention of a current input. That is, it is necessary for the unauthorized user specifying method disclosed in reference 1 to assume that no unauthorized decryption units store any past inputs. Assume that an unauthorized decryption unit is implemented by software (a program). In this case, copies of the program are generated in a number corresponding to the number of tests conducted, and the different (copied) programs are used for the respective tests. In addition, the number of inputs to be supplied to one program is limited to one. This prevents the unauthorized decryption unit from storing past inputs, and hence can specify an unauthorized user under the above assumption.
It is, however, preferable to allow black box tracking for even a smarter decryption unit which stores past inputs and operates on the basis of the inputs to hinder the specification of an unauthorized user.
Reference 2 (A. Kiayias and M. Yung, “On Crafty Pirates and Foxy Tracers”, Security and Privacy in Digital Rights Management, Revised Papers from the ACM CCS-8 Workshop DRM 2001, LNCS 2320, pp. 22-39, Springer-Verlag, 2002) discloses an unauthorized user specifying method against unauthorized decryption units which store past inputs. However, this method is of the first type described above, and hence it is necessary to greatly increase the transmission overhead. Even in this unauthorized user specifying method aimed at such unauthorized decryption units, it is preferable to reduce the transmission overhead. In addition, it is preferable that after an unauthorized user is specified, the decryption key can be updated to completely exclude the unauthorized user from the system.
As described above, the conventional unauthorized user specifying method cannot specify an unauthorized user with a small transmission overhead from a smart unauthorized decryption unit which stores input data, which is input to the unauthorized decryption unit to specify the unauthorized user, and hinders the specification of the unauthorized user on the basis of the stored input data.